Protecting Privileged Accounts can be the Difference Between “Managing” and “Securing” File Transfers
Posted on January 10, 2013 by Oded Valin
In the digital world in which we live, securing file transfers is critically important to personal and corporate security. Every day we send and receive sensitive information with the expectation that the services we use help us keep it secure.
But, as we re-learn constantly, vendors calling themselves ‘secure’ doesn’t always make it so. The latest egregious example is found in a high profile vulnerability discovered in a managed file transfer service used internally by Facebook employees:
http://yro.slashdot.org/story/13/01/08/1949210/serious-password-reset-hole-in-accellion-secure-ftp
In short, the vulnerability allowed an attacker to create a new user account, log in with that new account and change the password of another user, even if that other user had full administrative privileges. After that, a would-be attacker has a clear shot at any of the data in the file transfer application. Ouch!
Unfortunately, that’s what can happen when security is added as an afterthought and is not a core design principle built into the product from the ground up.
Given that Cyber-Ark’s business is all about privileged accounts and securing critical data from advanced attacks, we do know something about this. If you are looking at a truly secure file transfer service that won’t put your critical data at grave risk, here are some things you need to look for.
- The process used to create new users should not rely on public, generic URLs, but should have a full set of security controls and optional secure workflows in place.
- The entire password reset process should work in a secure way:
  - It shouldn’t rely only on an HTTP POST request without asking for the user’s current password or using a unique link.
  - It shouldn’t transfer confidential parameters in a POST request with nothing stronger than Base64 protecting them (Base64 is an encoding, not encryption).
  - The reset function should use a unique link with an expiration period, not a public, generic and insecure link.
  - It should offer the option of adding personal security question challenges to the process.
- Session management should be done in a secure way using a unique session ID and unique tokens. It cannot be part of the URL.
- Executable code should be obfuscated.
- The file repository should be fully encrypted and separated from the web application server in case the web portal is attacked.
- Follow the National Institute of Standards and Technology (NIST) guidance and “require your vendor to demonstrate that their software development processes employ state-of-the-practice software and security engineering methods, quality control processes and validation techniques”.
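To make the password reset points above concrete, here is an added example (written for this post, not code from Cyber-Ark or from the product in the linked story) of a reset flow that issues a unique, expiring, single-use token bound to exactly one account. The `ResetService` class, its in-memory stores and the 15-minute lifetime are all assumptions for illustration; the key property is that the completion request carries no account identifier the server trusts, so a token issued for one user can never change another user’s password.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed lifetime of a reset link (illustrative value).
RESET_TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    username: str       # the token is bound to exactly one account at issue time
    expires_at: float   # absolute time after which the token is rejected
    used: bool = False  # single use: a consumed token is never honoured again


@dataclass
class ResetService:
    # Constructed in-memory stores standing in for the application's database.
    users: Dict[str, str]                                   # username -> password hash
    records: Dict[str, ResetRecord] = field(default_factory=dict)  # token hash -> record

    @staticmethod
    def _hash_token(token: str) -> str:
        # Only a hash of the token is stored, so a database read-out does not
        # yield usable reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a unique, expiring, single-use token for an existing account.

        The raw token is returned so the application can deliver it out of band
        (e.g. to the registered e-mail address). Unknown users get None; the HTTP
        layer should answer identically in both cases to avoid account enumeration.
        """
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG; not guessable
        self.records[self._hash_token(token)] = ResetRecord(
            username=username, expires_at=now + RESET_TOKEN_TTL_SECONDS
        )
        return token

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Set a new password for the account the token was issued to.

        Note that no username is accepted here: the target account comes only
        from the server-side record, never from the request.
        """
        now = time.time() if now is None else now
        record = self.records.get(self._hash_token(token))
        if record is None or record.used or now >= record.expires_at:
            return False
        record.used = True
        # Stand-in for password storage; a real system uses a password KDF
        # (bcrypt, scrypt or Argon2), not a bare SHA-256.
        self.users[record.username] = hashlib.sha256(new_password.encode()).hexdigest()
        return True


if __name__ == "__main__":
    svc = ResetService(users={"alice": "hash-a", "admin": "hash-b"})
    token = svc.request_reset("alice")
    print("first use:", svc.complete_reset(token, "correct horse battery staple"))
    print("second use:", svc.complete_reset(token, "anything"))
    print("admin hash unchanged:", svc.users["admin"] == "hash-b")
```

Deliver the token only in the reset link itself, keep it out of logs and referrers, and treat the record as consumed on first use even if the password update later fails, so a captured link cannot be replayed.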
This sounds basic – but it’s part of the due diligence that every business should do to truly understand the level of security that has been built into the product. Just because a vendor claims to offer “secure” file transfer or cloud sharing, doesn’t make it so.
If security really matters to you (and it should), your best bet would be to start with a company with a “security first” approach, and the credentials to back it up.
NHS loses unencrypted USB stick
Posted on October 4, 2011 by Nick Lowe
A report from the Surrey and Sussex Healthcare NHS Trust in the UK has revealed that East Surrey Hospital lost the details of 800 patients in September 2010 but failed to notify any of the affected patients*. The Trust’s 2010/2011 annual report stated that the lost information had been held on an unencrypted memory stick, and included the names, dates of birth and operation details of each patient. The report also revealed a further nine “near misses” whereby information was lost but later recovered.
It’s a worrying situation when it is no longer surprising to see an NHS data breach with a lost, unencrypted USB stick at the heart of it. Such devices – which have proven to be consistently vulnerable to loss, theft and poor security practices – must be retired. Technology has moved on, and so should organisations looking to transfer information securely. Only by using modern Secure File Transfer solutions can organisations be sure that their data is protected at all times, and only accessible by the intended recipient.
It’s also hugely disappointing to see that the Surrey and Sussex Healthcare Trust failed to notify the individuals affected by the data breach. The Trust has an obligation to protect the personal information of those in its care properly; however, the revelations of poor data security and the failure to notify indicate that there are some serious flaws in its current approach.
It’s unclear just how many more of these incidents are needed before lessons are learned and changes made, but this data breach, along with the nine “near misses” mentioned in the report, will do little to inspire public faith in the NHS.
Privileged Conversations at RSA: From the Cloud to the White House
Posted on March 3, 2011 by Adam Bosnian
As it has every year since its inception, the RSA Conference drew a large number of security vendors, researchers, professionals and insiders of all stripes. Not surprisingly, cloud security emerged as one of the most popular themes addressed throughout the conference, partly due to the buzz and anticipation surrounding The Cloud Security Alliance Summit. That said, while the security of the cloud and other virtual environments were certainly focal points for this year’s show, several other important themes, issues and opportunities were addressed that also challenged the notion of status quo security.
As part of the mission of “Privileged Insights,” we are especially intrigued by topics that address the overarching sophistication and evolution of security threats, particularly the exploitation of privileged accounts and identities to access sensitive information. So while the CSA Summit attracted a lot of attention, and Chris Hoff, Director of Cloud and Virtualized Solutions for Cisco, delivered an insightful presentation that illuminated the importance of transparency between cloud providers and customers, it was Salesforce.com CEO Marc Benioff and Chief Trust Officer Jim Cavalieri who added a different twist to the cloud security picture—it’s not just the cloud, it’s the provider’s infrastructure that we need to worry about. Obviously, this is something that resonates well with IT security professionals.
When we examine the infrastructure of a provider’s data center, it’s realistic to expect that it could contain hundreds or thousands of servers, databases, workloads, applications, services and network devices (among other components), all exposing access points for management and control. Some of these access points are extremely powerful (i.e. privileged) while others are not. Regardless, access points should be accessed only by authorized sources. Cyber criminals understand the potential of these networks of privileged access points and by leveraging these vulnerabilities they have transformed the cyber crime frontier, as seen with many of the recent APT attacks, such as Stuxnet.
As Symantec pointed out in their presentation, the best approach to combat Stuxnet and similar attacks is a coordinated one focused on policy, protection and monitoring controls—all central tenets of privileged identity management.
Similar takeaways were found elsewhere at RSA that justify the importance of employing “privileged insights” to security intelligence. White House CIO Vivek Kundra explained some of the rationale behind the federal government’s increasing utilization of the cloud, including the importance of continuous monitoring. Cyber-Ark believes for continuous monitoring efforts to be effective, they must be properly automated by privileged session management solutions. Elsewhere, the CSA officially announced the launch of a new working group, CloudSIRT – cloud security incident and response. Interestingly, a recent survey conducted by CloudSIRT found that privileged user threats were one of the main vulnerabilities recognized by cloud adopters.
The list could go on, but we’re curious, where else did you hear insightful discussions about the power of privilege at RSA? From our perspective, it seems the discussion is now less about the education of privileged identity management technology, it’s now evolved to a need to better understand the emerging security and compliance challenges that it can proactively help solve. Do you agree?
RELEASING GRIP ON EMAILS COULD BOOST PRODUCTIVITY IN PUBLIC SECTOR
Posted on February 11, 2011 by Josh Arrington
Inboxes can always be difficult to manage – filing message after message, flagging and categorising – but many organisations are still really struggling to deal with large attachments, often finding that they clog up email exchanges and slow staff down.
Indeed, Virgin Media Business has just conducted some research* and found that 69 percent of public sector workers in the UK cannot send or receive emails larger than 10 MB in size, and 89 percent are unable to send or receive emails in excess of 15 MB. Clearly these limitations can be hugely inhibiting for staff – preventing them from sharing large files and getting the most out of the resources at hand.
Such restrictions are clearly out of date, with more information than ever flowing between staff and companies, most often via email. In order to enhance productivity, organisations should be looking at ways to enable staff to share large files in a quick, simple and secure way. For example, with a secure file transfer solution that takes sensitive documents out of the email exchange – delivering access to the files through a secure link – employees can enjoy a far quicker and less congested inbox.
With this clear benefit, workers stop seeing security processes as a hindrance to their performance, but rather as an enabler to better business practices.
With Privileged Insights Emerges Security Intelligence: Preparing for the Unexpected
Posted on January 25, 2011 by Udi Mokady
By Udi Mokady, CEO, Cyber-Ark
Cyber-Ark Software believes 2011 will be a significant year for the security industry. One marked by transformation – both in terms of increasingly sophisticated threats and encouraging technology innovation. Behind these changes are converging market factors such as the challenges facing organizations that must protect against more targeted, persistent and sophisticated attacks, including those related to Stuxnet and Wikileaks-type incidents; easing economic pressures driving new infrastructure investments, particularly virtualization and cloud computing; and evolving internal audit pressures and compliance requirements, such as PCI. To address these market factors, Cyber-Ark has launched the “Privileged Insights” blog.
With our global reach, Cyber-Ark is in a fortunate position to be able to draw upon our experiences, and those of our partners and customers, to share real-world examples of how unexpected vulnerabilities, such as hard-coded passwords in a video conferencing system, digital copier or storage device, can impact the overall security posture of an organization. No longer are threats limited to insiders and expected targets like databases and servers—we must think about the unexpected. That will be one of the goals of this blog, generating industry dialogue and empowering people with the information they need to proactively manage unexpected threats by elevating awareness about the risks of status quo security, and the need for innovation and new IT skill sets.
Cyber-Ark closed 2010 with 800 customers in more than 50 countries and strong revenues that are driving tremendous momentum into the new year, including providing customers with proactive security solutions for increasingly distributed architectures. In speaking with our customers, we understand that, particularly at the C-Level, there remains hesitation about cloud adoption due to multiple factors including security uncertainties and the sense of a “loss of control.” Cyber-Ark recently produced a fun, informative video [included in this post] aimed at describing how Cyber-Ark can help address key security issues in a cloud environment, whether you are a cloud service customer or a cloud service provider.
Even with the growing complexity and fragmentation of the IT security space, we are optimistic about the year to come. Cyber-Ark is extremely well-positioned in the Privileged Account Activity Management space, one of the fastest growing segments within the identity and access management market. And with innovative offerings for governed file transfer, we continue to empower multinational organizations to initiate new business models and address their most daunting security challenges related to how information is accessed, shared, monitored and managed. We look forward to sharing our stories and participating in thought-provoking discussions about the expanding threat landscape. And – stay tuned for more announcements coming from Cyber-Ark this year.
How do you see enterprise cloud adoption and security in the cloud evolving this year?
Copyright 2013 Cyber-Ark Software - All Rights Reserved
